Advanced threat security - Cyber Security For The Real World

  1. Cisco Advanced Threat Security Steve Gindi v1.2 Cyber Security For The Real World
  2. Advanced Threat Security. What is Advanced Malware? • Advanced malware is sophisticated malware designed to bypass traditional POINT-IN-TIME defenses such as anti-malware engines and sandboxes. It uses techniques such as encryption, polymorphism and sleep techniques (delaying malicious behaviour until the sandbox's analysis window has expired). Also known as zero-hour exploits or advanced persistent threats (APTs). • The attack surface is typically email and web traffic. • A top-5 security concern for CIOs and CSOs. • Very public hacks in 2013/2014 that damaged brands. © 2013-2014 Cisco and/or its affiliates. All rights reserved.
  3. The Way We Do Business Is Changing, making it more difficult to protect your network: users work from mobile devices, the coffee shop, the corporate office, home and the airport.
  4. The Industrialization of Hacking: hacking becomes an industry, moving from low-sophistication phishing to sophisticated attacks in a complex landscape. Timeline (1990 to 2020): viruses, 1990–2000; worms, 2000–2005; spyware and rootkits, 2005–today; APTs and cyberwar, today onward.
  5. Most dangerous threats (threat vector: approach / tactic / impact). Watering hole: infect or inject a trusted site / target users through compromised links / deliver malware with stealth and self-deleting programs. Spear phishing: conduct reconnaissance on a target / leverage social engineering / gain access through DLL injection and control firewalls, antivirus, etc. Dropper: deliver an exploit that will attack / deliver an exploit that will attack / compromises system control, personal data and authorizations.
  6. The Silver Bullet Does Not Exist… Each point product comes with its own promise: Application Control, Sandboxing (“Detect the Unknown”), “Fix the Firewall”, “Captive Portal”, IDS/IPS, UTM, PKI (“No key, no access”), “It matches the pattern”, NAC, “No false positives, no false negatives”, FW/VPN, AV (“Block or Allow”).
  7. Perfect Fit for The New Security Model: the Attack Continuum. BEFORE: Discover, Enforce, Harden. DURING: Detect, Block, Defend. AFTER: Scope, Contain, Remediate. Products mapped across the continuum: Advanced Malware Protection, NGIPS, Network Behavior Analysis, ESA/WSA, Firewall, NGFW, NAC + Identity Services, VPN, UTM.
  8. Cisco - Advanced Threat Security v1.2
  9. Why are we still struggling? Three drivers: Complexity, Visibility and Cost. The slide lists multi-vendor environments, redundancy, training, hardware, power and rack space as the contributing factors.
  10. Cisco Talos / Security Intelligence Operations (SIO): outstanding cloud-based global threat intelligence. People: 600+ engineers, technicians and researchers (Ph.D., CCIE, CISSP and MCSE), 80+ (label lost in extraction), 24x7x365 operations, 40+ languages. Telemetry sources: AnyConnect® users, Cisco IPS, Cisco ESA, Cisco ASA, Cisco WSA, Cisco CWS, endpoints, devices, networks (web, email, IPS). Visibility: 1.6 million global sensors; 100 TB of data received per day; 150 million+ deployed endpoints; 35% of worldwide email traffic; 13 billion web requests; more than US$100 million spent on dynamic research and development. Actions: 3- to 5-minute updates; 5,500+ IPS signatures produced; 8 million+ rules per day; 200+ parameters tracked; 70+ publications produced.
  11. Cisco Email Security Architecture. Inbound protection: threat defense, antispam, antivirus and Virus Outbreak Filter. Outbound control: data security, data loss prevention, encryption. Flexible deployment options: appliance or virtual.
  12. Gartner Magic Quadrant for Secure Email Gateway, 2014. The Magic Quadrant is copyrighted 2014 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco. Source: Magic Quadrant for Secure Email Gateways: http://www.gartner.com/technology/reprints.do?id=1-1GT4N4C&ct=130702&st=sb
  13. Cisco Web Security Architecture, fed by Cisco Security Intelligence Operations (SIO). Protection: malware protection. Control: URL filtering, Application Visibility and Control (AVC), *Data Loss Prevention (DLP), Layer 4 traffic monitoring (on-premises). Centralized management and reporting. Policy outcomes per request: allow, limited access, or block.
  14. Gartner Magic Quadrant for Secure Web Gateway, 2014 (the same Gartner copyright and disclaimer as on slide 12 applies; the report is available upon request from Cisco). Source: Magic Quadrant for Secure Web Gateways: http://www.gartner.com/technology/reprints.do?id=1-1VSLKXG&ct=140624&st=sb
  15. Cisco Next Gen Firewall Architecture, on the Cisco ASA with Cisco Collective Security Intelligence enabled and FireSIGHT analytics and automation. Subscription services: URL filtering, Advanced Malware Protection, intrusion prevention. Base platform: identity-policy control and VPN, Application Visibility and Control, clustering and high availability, network firewall, routing and switching, built-in network profiling.
  16. NSS Labs: Next Generation Firewall (test-result chart not reproduced in this transcript).
  17. AMP on Email, Web and Firewall. File Reputation: blocks known and unknown files; reputation verdicts delivered by the AMP cloud intelligence network. File Sandboxing: behavioral analysis of unknown files; looks for suspicious behavior; feeds intelligence back to the AMP cloud. File Retrospection: continuous analysis of files that have traversed the gateway; retrospective alerting after an attack, when a file is later determined to be malicious.
  18. Point-in-time detection (antivirus, sandboxing): initial disposition = clean, and analysis stops there. It is never 100%, because of sleep techniques, unknown protocols, encryption and polymorphism. When the actual disposition turns out to be bad it is too late, and the defender is blind to the scope of compromise. AMP retrospective detection: initial disposition = clean, but analysis continues; when the actual disposition is found to be bad, the file is blocked and the compromise is scoped. AMP is unique in the way it re-evaluates information: if new data shows that known-good files actually aren't good or have turned bad, AMP re-mines its data set and automatically transmits notifications to customers to trigger remediation.
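The retrospection described on slides 17 and 18 comes down to two data structures: a trajectory log of every file that crossed the gateway (hash, time, destination) and a verdict store that can change after the fact. The following is an added example, not Cisco's or AMP's code; the class and method names (`RetrospectiveGateway`, `file_seen`, `update_verdict`, `scope_of_compromise`), the host names and the sample bytes are all constructed for illustration. It shows the difference between a point-in-time decision (consult the verdict once, at transit) and a retrospective one (re-read the trajectory when the verdict flips and alert on every host that already received the file), and it produces the "scope of compromise" the slide says point-in-time tools are blind to.

```python
"""Retrospective detection over a file trajectory log.

Added illustration, not Cisco/AMP code. The gateway records every file it
forwards (hash, time, destination) and keeps the latest verdict per hash.
Point-in-time detection consults the verdict only while the file is in
transit; retrospective detection re-reads the stored trajectory whenever a
verdict becomes 'malicious' and alerts on every host that already has the file.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

CLEAN, UNKNOWN, MALICIOUS = "clean", "unknown", "malicious"


@dataclass(frozen=True)
class TrajectoryEvent:
    sha256: str
    ts: int                 # seconds since epoch (constructed values below)
    dest_host: str
    verdict_at_transit: str
    blocked: bool


class RetrospectiveGateway:
    def __init__(self):
        self.verdicts = {}                    # sha256 -> latest disposition
        self.trajectory = defaultdict(list)   # sha256 -> [TrajectoryEvent]
        self.alerts = []                      # all retrospective alerts emitted

    def file_seen(self, data: bytes, dest_host: str, ts: int) -> TrajectoryEvent:
        """Point-in-time decision: block only if the hash is already known bad.
        Exact-hash keying means a polymorphic sample (new hash per victim)
        never matches; real products key on additional features for that."""
        h = hashlib.sha256(data).hexdigest()
        verdict = self.verdicts.get(h, UNKNOWN)
        ev = TrajectoryEvent(h, ts, dest_host, verdict, blocked=(verdict == MALICIOUS))
        self.trajectory[h].append(ev)         # logged even when blocked, for audit
        return ev

    def update_verdict(self, sha256: str, new_verdict: str, ts: int) -> list:
        """A later verdict arrives (e.g. a sandbox run that finished after the
        file had already been delivered). If it flips to malicious, raise one
        retrospective alert per host that actually received the file."""
        old = self.verdicts.get(sha256, UNKNOWN)
        self.verdicts[sha256] = new_verdict
        new_alerts = []
        if new_verdict == MALICIOUS and old != MALICIOUS:
            for ev in self.trajectory.get(sha256, []):
                if not ev.blocked:            # only hosts that got the file
                    new_alerts.append({
                        "sha256": sha256,
                        "host": ev.dest_host,
                        "delivered_at": ev.ts,
                        "verdict_at_transit": ev.verdict_at_transit,
                        "detected_at": ts,
                        "dwell_seconds": ts - ev.ts,
                    })
        self.alerts.extend(new_alerts)
        return new_alerts

    def scope_of_compromise(self, sha256: str) -> set:
        """AFTER-phase view: every host holding a file now known to be malicious."""
        if self.verdicts.get(sha256) != MALICIOUS:
            return set()
        return {ev.dest_host for ev in self.trajectory[sha256] if not ev.blocked}


def run_demo():
    """Constructed scenario: two deliveries before the verdict, one after."""
    gw = RetrospectiveGateway()
    sample = b"MZ\x90\x00constructed-sample-not-real-malware"   # constructed bytes
    e1 = gw.file_seen(sample, "ws-finance-01", ts=1000)        # unknown -> delivered
    e2 = gw.file_seen(sample, "ws-hr-07", ts=1300)             # unknown -> delivered
    alerts = gw.update_verdict(e1.sha256, MALICIOUS, ts=4600)  # verdict flips later
    e3 = gw.file_seen(sample, "ws-sales-02", ts=5000)          # now blocked at transit
    return gw, e1, e2, e3, alerts


if __name__ == "__main__":
    gw, e1, e2, e3, alerts = run_demo()
    for a in alerts:
        print(f"RETRO ALERT host={a['host']} dwell={a['dwell_seconds']}s sha256={a['sha256'][:12]}")
    print("scope:", sorted(gw.scope_of_compromise(e1.sha256)), "blocked third copy:", e3.blocked)
```

The point the demo makes is that the third delivery is stopped by ordinary point-in-time blocking, but only the trajectory log lets the gateway tell you that two hosts already hold the file and for how long (the `dwell_seconds` field); without that log, the verdict change would produce no actionable list of machines to contain.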
  19. NSS Labs: Advanced Malware Protection (test-result chart not reproduced in this transcript).
  20. AMP Everywhere. Secure Gateway: stops threats before they enter the network; easy activation; File Trajectory and Retrospective Security; ideal for new or existing Cisco Email or Web Security customers; effective upsell for all existing customers. Network Appliance: wide visibility inside the network with File Trajectory and Retrospective Security; layered with network threat defense (IPS/NGFW) and event correlation; broad selection of features before, during and after an attack; ideal for IPS/NGFW customers. Endpoint: granular visibility and control at the endpoint level with Device Trajectory, File Trajectory and Retrospective Security; protection for mobile and remote devices; for advanced customers wanting comprehensive threat protection, investigation and response.
  21. Why Cisco?